Nothing CMF Phone 1 breached in under a minute? This research shows concerning MediaTek vulnerability

Security researchers demonstrated that Nothing’s CMF Phone 1 could be breached in under 45 seconds due to a MediaTek vulnerability affecting millions of Android devices.

Edited By: Divya | Published By: Divya | Published: Mar 12, 2026, 07:50 PM (IST)

A new security finding has raised fresh questions about how safe our smartphones really are. Security researchers have demonstrated that Nothing’s CMF Phone 1 can be breached in under a minute due to a vulnerability tied to certain MediaTek chips.

The research doesn’t mean every device is immediately at risk. But it does highlight how weaknesses deep inside a phone’s architecture can expose sensitive information if they’re not patched in time.

What the researchers discovered

The vulnerability was identified by Ledger Donjon, the security research division of cryptocurrency company Ledger. Their team demonstrated the issue using the CMF Phone 1, which runs on a MediaTek Dimensity 7300 chipset.

In a post on X, Charles Guillemet explained the seriousness of the finding. “Donjon Ledger has struck again, discovering a MediaTek vulnerability potentially impacting millions of Android phones,” Guillemet wrote. “Even when powered off, user data – including pins and seeds – can be extracted in under a minute.” During the demonstration, researchers connected the phone to a laptop and managed to bypass key security protections in about 45 seconds.

How the attack works

The flaw is linked to Trustonic’s Trusted Execution Environment (TEE), a secure area within certain MediaTek processors designed to protect sensitive information like PINs, encryption keys, and authentication data.

By exploiting this environment, researchers were able to recover the phone’s PIN, decrypt stored data, and even extract seed phrases from cryptocurrency wallets. What makes this discovery notable is that the attack did not require the Android system to be running.

According to Guillemet, “Without ever even booting into Android, the exploit automatically recovered the phone’s PIN, decrypted its storage, and extracted the seed phrases from the most popular software wallets.”

Could other phones be affected?

The issue isn’t limited to a single device. Because the vulnerability sits within the processor’s trusted execution environment, it could potentially affect millions of Android smartphones using MediaTek Dimensity or Helio chips that rely on the same security design. That said, exploiting the flaw requires physical access to the phone, which significantly limits how easily it could be abused in real-world situations.

Should you worry? 

According to Guillemet, MediaTek has already issued a security patch to device manufacturers. “MediaTek confirmed providing a fix to OEMs on January 5, 2026,” he wrote, adding that the vulnerability has been registered as CVE-2025-20435. Whether all affected devices have received the update yet remains unclear.